Carnegie Mellon University School of Computer Science

AFS Permissions - Access Control Lists

AFS uses Access Control Lists (ACLs) to determine permissions for accessing data. An ACL is a set of Kerberos instances, IP addresses, and/or AFS Groups along with an associated AFS permission.

For example, the ACL for the directory /afs/ has entries for:

    wwwsrv:http-ftp rl
    system:anyuser rl
    example rlidwka

The above ACL gives just "read" and "lookup" rights to the special groups wwwsrv:http-ftp and system:anyuser, and all AFS ACL permissions to the user "example".

ACLs allow very flexible control over who may access data in AFS. Some features of ACLs and AFS access permissions are:

  • ACLs apply only to directories in AFS, not to files.
  • AFS ignores standard Unix permissions (the ones you set with the chmod command), with the exception of the file owner mode bits (see the section below on protecting individual files for details).
  • The owner of a directory can always change the ACL on that directory, no matter what the ACL is (so you can fix things if you accidentally remove yourself from the ACL of a directory you own).
  • When you create a directory, it automatically inherits the ACL of its parent directory.
  • In order to access a subdirectory, one must have "l" (lookup) permissions on all parent directories.

Important note: Because top-level AFS user directories in SCS are created by default with fairly liberal ACLs, you may need to take special precautions to protect confidential information in AFS.  For example, the "mbox" file created by some Unix mail programs and Emacs "shell.CKP" files will not be protected by the standard Unix permissions if they are created in AFS. You should make sure that directories that are used to store email and other sensitive files have appropriate ACLs.

AFS permissions and their meaning

There are seven standard AFS permissions, each referred to by one of the letters r, l, i, d, w, k and a. The lida permissions apply to directories and the rwk permissions apply to files.

Directory permissions

ACL Permissions
l (lookup) Allows one to list the contents of a directory. It does not allow the reading of files.
i (insert) Allows one to create new files in a directory or copy new files to a directory.
d (delete) Allows one to remove files and sub-directories from a directory.
a (administer) Allows one to change a directory's ACL. The owner of a directory can always change the ACL of a directory and any subdirectories in that directory.

File permissions

ACL Permissions
r (read) Allows one to read the contents of files in the directory.
w (write) Allows one to modify the contents of files in a directory and use chmod on them.
k (lock) Allows programs to lock files in a directory.

Normal and negative AFS permissions

An ACL can be either "normal" or "negative". Normal rights grant the specified access permissions, while negative rights allow one to cancel specific permissions for a user or group on an ACL.

How to list and change AFS ACLs

The fs command (which should be in /usr/local/bin on Facilitized Unix hosts) is used to list and change ACLs.

When specifying directory rights using fs, the following shortcuts may be used:

Shortcut Permissions
all  rlidwka
read rl
write rlidwk
none removes all entries 

How to list an ACL

The command fs listacl <directory-name> will list the ACL of a directory. You can abbreviate "listacl" to "la" for the same result.

 fs la /afs/cs/user/example

will produce the output:

Access list for /afs/cs/user/example is
  Normal rights:
     wwwsrv:http-ftp rl
     system:anyuser rl
     example rlidwka

You can use the command fs help listacl to list the complete set of options.

How to add a user or group to an ACL

The command fs setacl -dir <directory> -acl <acl entries> will add the given ACLs to the given directory.

fs setacl -dir /afs/cs/user/example -acl jsmith rl

The example above will give the user "jsmith" read and lookup rights on the directory /afs/cs/user/example.

As a shortcut, you can abbreviate "setacl" to "sa" and/or leave out the "-dir" and "-acl" as long as you maintain the arguments in the order given:

fs sa /afs/cs/user/example  jsmith rl

You can also use the "-clear" switch on a fs setacl command to completely clear the previous ACL when setting new entries. Be careful not to remove your own administrative rights when doing so.

How to remove a user or group from an ACL

To remove a user or group from an ACL, assign the user or group the access permission "none".

fs setacl -dir /afs/cs/user/example -acl jsmith none

The example above would remove the user "jsmith" from the access list for /afs/cs/user/example.

How to set negative ACL entries

To set a negative ACL entry, use the -negative switch to the appropriate fs command.

fs setacl -dir /afs/cs/user/example -acl jsmith rl -negative

The example above would set negative read and lookup rights for user "jsmith".
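
Added example (not part of the original page): the rights a user ends up with are the normal rights granted to the user and to every group the user belongs to, minus any matching negative rights. The script below applies that rule to fs listacl output in the format shown earlier, and can also be used for the check recommended in the note about directories that hold mail or other sensitive files. The sample listing is constructed, the function names are hypothetical, and the caller supplies the user's group membership.

```shell
#!/bin/sh
# effective_rights "principal ..." < listing
# Reads `fs listacl` output on stdin and prints the rights left after
# subtracting Negative rights from Normal rights for the given principals
# (the user plus the groups the caller says the user belongs to).
effective_rights() {
    awk -v who="$1" '
        BEGIN { n = split(who, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /^Access list for/ { next }
        /Normal rights:/   { sect = "normal";   next }
        /Negative rights:/ { sect = "negative"; next }
        NF == 2 && ($1 in want) {
            for (i = 1; i <= length($2); i++) {
                c = substr($2, i, 1)
                if (sect == "normal")   grant[c] = 1
                if (sect == "negative") deny[c]  = 1
            }
        }
        END {
            order = "rlidwka"; out = ""
            for (i = 1; i <= length(order); i++) {
                c = substr(order, i, 1)
                if ((c in grant) && !(c in deny)) out = out c
            }
            print out
        }'
}

# Succeeds when system:anyuser keeps "r", i.e. files here are readable
# without AFS tokens.
world_readable() {
    case "$(effective_rights "system:anyuser")" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample listing (hypothetical directory and users).
sample_acl() {
    cat <<'EOF'
Access list for /afs/cs/user/example/mail is
Normal rights:
  system:anyuser rl
  example rlidwka
Negative rights:
  jsmith rl
EOF
}

sample_acl | effective_rights "jsmith system:anyuser"    # jsmith: nothing left
sample_acl | effective_rights "example system:anyuser"   # owner: rlidwka
sample_acl | world_readable && echo "readable by system:anyuser"
```

A negative entry applies only to the identity it names; rights granted to system:anyuser are still available to a client with no tokens, so restrict access by removing that grant rather than by denying one user.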

How to copy ACLs

To copy an ACL for dir1 to dir2 use the command:

fs copyacl -fromdir <dir1> -todir <dir2>

This command will copy all ACL entries from dir1 to dir2, overwriting those on dir2 that already exist and keeping the ones that don't conflict with ACL entries on dir1. You can use the "-clear" switch to completely replace the ACL of dir2.

How to change the ACLs of a directory tree in AFS

If you want to set an ACL for a directory in AFS and all of its sub-directories, you can use the fsr command. The fsr command uses the same syntax as the fs command for listing and changing AFS ACLs. Unlike fs, fsr operates on the specified folder and all subfolders.

fsr setacl /afs/ -acl system:anyuser rl

The above command would add the acl system:anyuser rl to the directory /afs/ and all of its subdirectories.

How to protect individual files

AFS ignores all but the owner Unix mode bits on files. Turning off the "r" bit removes read access to a file for everyone, including the owner. Turning off the "w" bit removes write access to a file for everyone, including the owner. Turning off the "x" bit disallows execution of a file for everyone, including the owner.

How to make an AFS directory private

To make an AFS directory that only you can read and administer, remove all ACL entries except the one for you. A quick way to do this is with the command:

fs setacl <directory> your-username all -clear
fs setacl /afs/cs/user/example/private example all -clear

Note that the example command above will remove all access for others to all subdirectories of the given directory. If you want others to access subdirectories, but still prevent reading of files in the top-level directory, you should add "l" access for selected users or groups to the top-level directory's ACL.

How to make a "drop box" directory

A "drop box" directory is a directory that people can copy files into, but in which they cannot read, delete, or write to files that are already there. For example, if one were teaching a class, one could use such a directory as an upload area for homework. To create such a directory, create a private directory and then add "il" only rights for the pts group or user that should have rights to create files in that directory.